TI Alert - BlackCat - Ransomware - 2024-2-29 - 64857
Intelligence
Alert
BlackCat: Ransomware
The ALPHV Blackcat Ransomware 2.0 Sphynx update was released by the ALPHV Blackcat administrators. It was rewritten to give affiliates more features, such as improved defense evasion and additional tooling. This ALPHV Blackcat upgrade can encrypt virtual machines (VMware instances) as well as Windows and Linux devices. ALPHV Blackcat affiliates are well-versed in ransomware and data extortion, and they maintain large networks. After the ransomware is installed on the domain controller, the logs on the Exchange server are deleted. Data about the victim is then downloaded, moved, and/or exfiltrated using Mega.nz or Dropbox. Following deployment of the ransomware, a text file (file.txt) containing the ransom note is dropped. According to public reporting, affiliates have also terminated security processes using STONESTOP and POORTRY.
Privilege Escalation
Remote Code Execution
Information Theft
Data Encryption
Data Exfiltration
Man-In-The-Middle
Command And Control
Vulnerable System
Microsoft Windows
VMware Workstation System Software
Linux Operating System
Domains:
fisa99[.]screenconnect[.]com
resources[.]docusong[.]com
IPV4 :
91[.]92[.]254[.]193
5[.]199[.]168[.]24